1. Field of the Invention
This invention relates to a communication system (“network”) and more particularly to a network of structurally organized nodes which can identify secured access to the network, forward data across the network according to security levels, reject unsecured accesses, authorize transmission from the network, and detect network locations undergoing security violations.
2. Description of the Related Art
A communication network is generally regarded as an interconnected set of subnetworks or subnets. The network can extend over localized subnets as an intranet, or can extend globally as an internet between one or more intranets. A communication network can therefore forward data within a localized network between termination devices extending to almost anywhere around the world. The termination devices include any data entry/retrieval system (e.g., telephone or computer), and a network includes a local and/or global interconnection of termination devices configured on one or more subnets.
The basic underpinnings of network operation are the various protocols used to communicate across the network. A popular foundation for those protocols is the Open System Interconnect (“OSI”) model. Using that model or a derivative thereof, protocols can be developed which work in concert with each other. A popular communication protocol includes the Transmission Control Protocol (“TCP”) and the Internet Protocol (“IP”). TCP/IP are used in networks that are known as packet-switched networks. The advent of asynchronous transfer mode (“ATM”) has brought about a divergence from packet-based standards to one using a cell-switched network. Packet-switched and cell-switched networks are in contrast with circuit-switched networks, such as the telephone system. As opposed to maintaining a fixed routing connection for the transmitted message, packet or cell switching evenly allocates or “switches” packet or cell portions of the message across dissimilar routes of the network. The term packet switching henceforth refers generically to switching message portions, regardless of whether that portion is a cell or packet.
In a packet-switched network, each packet of a particular message may be sent across different routes of the network at the same time and then reassembled at the proper termination device. In order to ensure the packets are properly received, certain layers of the OSI protocol stack will wrap the data before the data is sent across the network. For example, TCP can divide data into segments which are then placed into, for example, IP datagrams having a header which includes the IP address of the originating and receiving termination devices. The TCP segment is not forwarded across the network until it has been wrapped in this way, possibly several times.
An important aspect of network management and administration is the need to control accesses to the network infrastructure. Accesses can be controlled for numerous reasons, some of which include security and prioritization. Security deals with restricting improper accesses, while prioritization deals with prioritizing an access to a shared resource.
There are various ways in which to secure a communication network, all of which deal with mechanisms which prevent unauthorized access to packets of data; such access is often referred to as “packet sniffing” and/or “packet spoofing”. Common security mechanisms include use of firewalls implemented in hardware and software (e.g., proxy servers, bastion hosts, filtering routers) and/or authentication systems implemented solely in software (e.g., passwords and encryption code). Most firewalls use some form of screening subnet architecture that analyzes the incoming internet packet to determine if that packet should be placed on the internal, intranet structure. Analyzing the packet and, more specifically, the source and destination of that packet, typically adds a lag time or latency at the interface between the intranet and the internet. Placing an encryption code also adds overhead to the packet and involves time-consumptive decryption at the receiving end of the network. Use of passwords appears less consumptive of transmission bandwidth. Passwords, however, can sometimes be readily broken either through a user's improper choice of password name or through a hacker sending thousands of user names and passwords until a successful combination is achieved.
It would be of benefit to secure a network without requiring the overhead of conventional firewalls. For example, eliminating routing tables within either an interior or exterior filtering router, eliminating a dedicated network of a bastion host, eliminating encryption bits and decryption, and eliminating user-specified passwords would prove beneficial if the same level (or possibly a higher level) of security could be maintained. An improved level of security which avoids conventional firewalls is preferably one based on an analysis of each packet as the packets are switched throughout the network. Analysis on each packet could desirably be performed without requiring a circuit-switched path or dedicated, private path such as those found in private lines and/or Virtual Private Lines (“VPLs”) attributable to a Virtual Private Network (“VPN”). VPNs and circuit-switched networks impose significant limitations on bandwidth utilization and network throughput and therefore should be avoided as a security solution.
Modern day networks are expected not only to be highly secure, but also to support numerous types of applications, some of which may require greater bandwidth than others. Other applications may require deterministic response time across the network. Network managers may be required to adapt the network, or at least portions of the network, so that it can guarantee a predetermined amount of bandwidth and/or propagation time for a requested Quality Of Service (“QOS”). The term “QOS” generally subsumes all the various terms used to describe “accesses” between a pair of termination devices. Access is therefore a term that can be quantified to include the speed and degree of security by which packets travel between termination devices and the fault tolerance measures which ensure the transmitted signal is clear and accurate.
The network manager may require, for example, fast, highly secure communication between termination devices residing on a local intranet, whereby the termination devices are sending both voice and video in a time-sensitive manner. There may be other intranets, however, that are not sending time-sensitive information, each of which may be connected to the intranet allocated to higher speed. The network manager may therefore need to give priority to packets sent (or received) to and from some, but not all, termination devices within the network. In other words, a need exists for allocating bandwidth through a shared resource such as a network link, switch or router, or arbitrating among competing devices that are requesting various types of accesses to the shared resource.
Conventional QOS, however, cannot provide an accurate determination of a delay (i.e., response time) between a request sent by a termination device and a response returned to that device. For instance, the transmission delay varies depending on whether the routing table portion of interest resides in the control processor cache or is within the system memory linked to the control processor by a system memory bus. Time needed to access the routing tables will therefore vary across the network, leaving uncertainty as to when the requested packets will be returned to the requesting agent. Thus, conventional QOS solutions cannot guarantee response times even though a specific class of service has been designated. Instead, QOS is limited to determining availability and reliability of the transmission path and not, e.g., worst-case response time.
It would be of benefit to be able to specify a QOS and to designate classes of service for certain accesses within the network based on the time-sensitive nature by which the applications must operate. The benefit would be derived in designating certain nodes according to a structure and to guarantee worst case response time between those nodes based on the classes of service and reserved bandwidth unique to those nodes. The desired QOS would benefit by implementing packet-based classes of services. The classes of service might beneficially extend to security codes attributed to those classes so that not only could performance be assured, but also security.
The problems outlined above are in large part solved by a network that is structured according to where packets are routed within the network. The structure can be associated with geographic routing or use-type routing, or any other associative routing where certain nodes are grouped in a hierarchy, or structured level, different from other nodes. For example, a group of nodes associated with a local area network (LAN) may have a hierarchical designation different from another group of nodes of a subnet outside the LAN. The structured network transmits data according to a packet-switching protocol and employs QOS to assign priority, performance and security to the packets as they travel across the structured network.
The network includes a plurality of forwarding modules linked together between termination devices. Within one or more of the modules is a mapping table which assigns a priority code and/or security code to the packet depending on, say, an address from which the packet of data was sent. The address can be that of another forwarding module earlier in the data flow path, or a termination device used to input data into the network. The address can further be a user level differentiator within a terminating device.
The forwarding module can forward or direct packets of data placed in various protocols, including IP, ATM, IPX, DEC, NET, Apple Talk, etc. The modules are arranged as nodes: they are topologically related to one another based on their position within the network, the destination routing path, and/or their use. The modules, due to an awareness of their position or location, allow adaptive fast forwarding of packets across the network. The modules represent an improvement over conventional switches and/or routers. Instead of statically routing packets in the same manner each time, as in switches, the modules include some features of conventional routers, yet without the lag time of routing table look up. The modules can forward or direct packets of data relatively fast (similar to conventional switches), and can dynamically change the forwarding path based on activity within the network (similar to conventional routers).
Groupings of modules can be designated to a specified class or hierarchical level. Each module is preferably assigned a unique identification number possibly relating, in part, to the hierarchical level of the network. For example, the most significant field of bits may be allocated to the highest hierarchical level of modules, followed by the next most significant field allocated to the next highest level of modules. With each level of hierarchy, structure is provided. The modules are organized according to some predetermined structure within a given hierarchical level which is reflected in the field of the identification number corresponding to that level. Distributed routing can therefore be achieved by comparing a destination address of the wrapped packet with identification numbers of those hierarchical levels depending on the location of the module receiving the incoming packet. Modules therefore determine the directional flow of the incoming packet based on comparing (or decoding) the destination address of the packet with the relative position of the module indicated by the module's identification number. As the result of this direction/forwarding operation, traditional routing methods are eliminated. Also, decoding operations eliminate routing in what was determined, at a higher hierarchical level, to be an unused path. Decoding within lower levels can be restricted only to those modules that the higher levels point toward. Moreover, decoding can be accomplished in a fairly rapid manner and need not occur if a comparison at the higher level will direct the packet to another branch of lower level modules. Accordingly, the structured network can be thought of as having a relative or deterministic routing topography absent the detriments of conventional routers. Hence the deterministic routing acts as a distributed router.
Instead of performing routing functions at every node in the network, the distributed router performs incremental routing functions at every node and the data forwarding function is achieved across the entire network. It is important to note that the structured network hereof can form the entirety of the intranet and internet network, or form simply a portion of a conventional (non-structured) intranet/internet network. Thus, the structured network can extend between termination devices, or simply as a portion of a conventional network that extends between termination devices.
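The level-by-level decode described above, as an added example in Python; it is not the patent's own implementation. The three 4-bit fields of a 12-bit identification number, the (id, level) encoding of a module's position, and the parent/child helpers are assumptions made for illustration.

```python
# Added example (constructed for this page, not the patent's own design): a toy
# model of hierarchical identification numbers and level-by-level decoding.
# Assumptions: three hierarchical levels, each occupying a 4-bit field of a
# 12-bit identification number, most significant field first; a module at
# level L has meaningful fields 0..L and zeros in the fields below it.

FIELD_BITS = 4
LEVELS = 3                        # level 0 is the highest (most significant)
FIELD_MASK = (1 << FIELD_BITS) - 1


def shift(level: int) -> int:
    """Bit offset of the field belonging to hierarchical `level`."""
    return FIELD_BITS * (LEVELS - 1 - level)


def field(ident: int, level: int) -> int:
    return (ident >> shift(level)) & FIELD_MASK


def decode(module_id: int, module_level: int, destination: int) -> tuple:
    """Decide how a module positioned at `module_level` forwards a packet.

    Fields are compared from the highest level down to the module's own level.
    The first mismatch means the destination lies in another branch, so the
    packet goes up and no lower-level decoding is performed.  If every field
    matches and this is the lowest level, the packet is delivered locally;
    otherwise it is forwarded down towards the child named by the next field.
    Returns ("up", mismatch_level) | ("local", None) | ("down", next_field).
    """
    for level in range(module_level + 1):
        if field(module_id, level) != field(destination, level):
            return ("up", level)
    if module_level == LEVELS - 1:
        return ("local", None)
    return ("down", field(destination, module_level + 1))


def parent(module_id: int, module_level: int) -> tuple:
    """The module one level up: same id with this level's field cleared."""
    return (module_id & ~(FIELD_MASK << shift(module_level)), module_level - 1)


def child(module_id: int, module_level: int, next_field: int) -> tuple:
    """The module one level down in the branch named by `next_field`."""
    return (module_id | (next_field << shift(module_level + 1)), module_level + 1)


def route(start: tuple, destination: int) -> list:
    """Trace a packet hop by hop from `start` = (id, level) until it is
    delivered, returning the sequence of (id, level) positions visited."""
    position, path = start, [start]
    while True:
        action, value = decode(position[0], position[1], destination)
        if action == "local":
            return path
        position = parent(*position) if action == "up" else child(*position, value)
        path.append(position)


if __name__ == "__main__":
    # A packet entering at module 0x120 (level 2) destined for 0x134 climbs
    # two levels because the level-1 field differs, then descends into
    # branch 3; the level-2 field is never examined on the way up.
    for ident, level in route((0x120, 2), 0x134):
        print(f"{ident:#05x} level {level}")
```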
The modules can be classified as an end module, a pass-through module, or an intermediate module. End modules are those configured adjacent to termination devices and are used to perform protocol wrapping functions as packets enter the structured network or strip protocol when packets exit the network. The end modules also perform a routing function similar to intermediate modules or pass-through modules. The modules can be configured in hardware to be substantially the same, with only the programmed function being different based on where within the network the module will be placed. Each module includes a minimum of one bi-directional port and a traffic manager which controls the port or ports. The traffic manager includes a decoder and various buffers. The decoder performs a comparison between a destination address and the identification number of that module based on the position of that module within the overall structured network.
The structured network is one that is compatible with protocols currently used in, for example, the OSI model. Through a series of read or fetch operations, the traffic manager reads wrap information from a buffer within the entry module and assigns that wrap information to the incoming packet. The wrap information simply appends a header and optionally a trailer to the packet, transparent to the protocol of the incoming packet. When the packet arrives upon the exit module, wrap information is stripped from the original packet and a relatively small mapping table may be used to forward the packet to the appropriate destination termination device. The packet is therefore forwarded throughout the structured network from the entry module to the exit module without having to perform conventional look-up operations. The wrap information includes the security code and the priority code assigned to the entry module either by virtue of the identification number of the incoming packet, identification of the entry module, or the hierarchical/structural level assigned to the entry module.
Both the security code and the priority code are placed within the header of each individual packet so as to assign a QOS on a packet-by-packet basis. The added flexibility of assigning QOS to each packet not only enhances the dynamics of resource allocation over a relatively short period of time, but also establishes a packet-switched security network. The network is a structured network that is set up and controlled independent of the data flow path. By separating the data flow path from control and setup, including QOS control, it can be assured that security threats (packet sniffing and packet spoofing) are substantially eliminated at each module, since accesses via the network data flow path to control information cannot be achieved.
Each module can be set up to send or accept packets originating from or addressed to specific modules of the structured network. Thus, each module can be assigned a security code that is placed on the packet traversing that module, and the downstream module will either grant access or deny access based on the security code placed upstream. This allows for private line type security services with guaranteed private access, but within a packet-switched environment without having to dedicate a circuit or path in times when the circuit or path is not being used. The modules can be programmed to only pass certain classes of messages based again on the security class of the originating, or upstream, module as designated by the identification number of that module and/or the security code assigned to that module. Along with the header, a trailer may be added to the packet to note if a security breach has occurred somewhere within the secured network, and the location of that breach: either packet sniffing or packet spoofing at a particular module having a unique identification number or security code.
In some instances, unique security code can be assigned to each module. In other instances, there could be a unique identification number for each module and several security codes assigned to groupings of modules based on the secured status or class of those grouped modules. The same applies to the priority code also.
The exit end module may contain one or more mapping tables selectable by the security code transferred with the packet that arrives on the exit end module. The selected mapping table contains a grouping of identification numbers attributed to the upstream module or the entry end module. If the identification number forwarded with the packet matches with an identification number in the selected table, then it is known that the termination device connected to the exit end module is authorized to receive the packet arriving upon the exit end module.
The entry end module and the exit end module provide security identification and security authorization. Optionally, the trailer placed upon the packet can include the number of modules traversed and the identification number of each module. If the count number of modules traversed does not equal the identification number entries, then a security breach is detected and, based on the user's configuration data, isolation of the breached identification number can be determined. From that identification number, an access violation can be pinpointed to a specified module and therefore a termination device connected to that module.
The entry or intermediate module may also assign a priority code based on the incoming identification number of either a termination device, a user from a termination device, or an upstream module and the bandwidth allocated to that upstream module or termination device. For a specified bandwidth allocation, priority is given depending on whether the incoming packets of data exceed or are less than the allocated bandwidth. The entry or intermediate module will select incoming packets from dissimilar nodes upon the shared resource (interconnect bus or link) depending on the priority code of the incoming packet. If one packet priority code is higher than the other, then the module will operate as an arbiter and select the higher priority packet based on one of numerous types of arbitration schemes.
Both priority codes and security codes can be assigned to modules according to various hierarchical levels of the network, each level being assigned based on where the nodes or modules are arranged structurally relative to one another within the network. For example, the highest priority level may be attributed to a single loop of interconnected modules needing significant bandwidth resources for use in videoconferencing applications, whereas a lower priority may be assigned to packets destined to one or more modules of another loop where voice transmission is all that is needed, both loops possibly connected to form a multi-loop subnet.
According to one embodiment, a communication network is provided having a plurality of forwarding modules. The modules can be classified as entry modules, intermediate modules, or end modules. It should be noted that an entry module can be an intermediate module as well as end module for packets originating from other modules in the network. An entry module can be used to determine if data coming into the entry module will be transferred as secured data to the communication network. The entry module can include a decoder coupled to receive an identification number of an entry device and data from that device. A storage device may be further included within the entry module and configured with a set of bits. A compare unit of the entry module may be coupled between the decoder and the storage device for comparing the identification number with the set of bits to determine if the data will be transferred as secured data. The entry device can be a node within another communication network, or a termination device. The storage device may include a register or any temporary storage unit. The identification number can be thought of as an address unique to the entry device.
The entry module may further include a buffer containing a security code and a traffic controller coupled to the buffer. The traffic controller may read the security code from the buffer and place the security code and identification number within a packet comprising the forwarded data. A counter may be used to count the number of accesses upon the entry module by the entry device and block further accesses if a count value exceeds a value stored within the storage device. The entry module may further include a mapping table coupled to map the incoming identification number to a corresponding security code. The incoming data is arranged within a single packet and the secured data is transferred to the communication network on a packet-by-packet basis.
An exit module of the communication network may include an output port adapted to receive a packet of data having a header. The header includes a security code and an identification number. A storage device is contained within the exit module and comprises a plurality of tables, one of which may be selected by the security code of the packet header. The exit module may also include a compare unit coupled between the output port and the storage device for comparing the identification number with entries within the selected table to determine if the identification number derives from a secured path that extends at least partially through the communication network. As such, the tables are used to authorize transmission of a secured packet through a termination device coupled to the exit module. The table may also be used to assure that the identification number of the entry module, or an intermediate module, has assigned to it a security code of a proper hierarchical level. The packet is either secured or not secured and, if secured, the exit module confirms security before sending the secured packet to a termination device that can read the packet.
The secured path thereby extends from a secured module within the communication network. The secured module is one having been assigned the security code and the identification number and placed the code within a header of a packet received by the exit module output port. A decoder within the exit module may be used to decode a grouping of bits within the security code to select one of a plurality of tables. According to one example, the grouping of bits may be selected as the most significant bits within the security code.
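The exit-module authorization just described, together with the trailer-based breach detection of the earlier summary (hop count compared against the recorded identification numbers), as an added example in Python; it is not the patent's own design. The 8-bit security code, the 2-bit table selector taken from its most significant bits, the packet layout and the breach-isolation rule (first divergence from a configured path) are assumptions made for illustration.

```python
# Added example (constructed, not the patent's own design): an exit end module
# that selects an authorization table by the most significant bits of the
# packet's security code, checks the entry identification number against it,
# and verifies the trailer's hop count against the recorded module ids to
# detect and locate a breach.  Field widths, the 2-bit table selector and the
# isolation rule (first divergence from a configured path) are assumptions.

from dataclasses import dataclass, field

SEC_BITS = 8            # assumed width of the security code
TABLE_SELECT_BITS = 2   # assumed: the top 2 bits select one of four tables


@dataclass
class Packet:
    security_code: int            # header, assigned by the entry module
    entry_id: int                 # header, identification number of entry module
    payload: bytes
    hop_count: int = 0            # trailer, number of modules traversed
    hop_ids: list = field(default_factory=list)  # trailer, id of each module


def entry_wrap(entry_id: int, security_code: int, payload: bytes) -> Packet:
    """Entry end module: wrap the payload with a header carrying the security
    code and identification number; the trailer starts empty."""
    return Packet(security_code, entry_id, payload)


def traverse(packet: Packet, module_id: int, module_code: int) -> bool:
    """Intermediate module: forward only if the incoming security code equals
    its own, and record itself in the trailer.  Returns False on rejection."""
    if packet.security_code != module_code:
        return False
    packet.hop_count += 1
    packet.hop_ids.append(module_id)
    return True


class ExitModule:
    def __init__(self, tables: dict, expected_paths: dict):
        self.tables = tables                  # table index -> set of entry ids
        self.expected_paths = expected_paths  # security code -> list of ids

    @staticmethod
    def select_table(security_code: int) -> int:
        return security_code >> (SEC_BITS - TABLE_SELECT_BITS)

    def authorize(self, packet: Packet) -> bool:
        """True only if the entry id is listed in the table the code selects."""
        table = self.tables.get(self.select_table(packet.security_code), set())
        return packet.entry_id in table

    def locate_breach(self, packet: Packet):
        """None if the trailer is consistent; otherwise the identification
        number of the module at which the recorded path first diverges from
        the configured path (the assumed isolation rule)."""
        if packet.hop_count == len(packet.hop_ids):
            return None
        expected = self.expected_paths.get(packet.security_code, [])
        for pos in range(max(len(expected), len(packet.hop_ids))):
            exp = expected[pos] if pos < len(expected) else None
            got = packet.hop_ids[pos] if pos < len(packet.hop_ids) else None
            if exp != got:
                return exp if exp is not None else got
        return packet.hop_ids[-1] if packet.hop_ids else packet.entry_id


def demo() -> tuple:
    """Constructed scenario: code 0xC5 selects table 3; secured path 0x31-0x33.
    Returns (clean authorized, clean breach, tampered authorized, tampered breach)."""
    exit_mod = ExitModule({3: {0x21, 0x22}}, {0xC5: [0x31, 0x32, 0x33]})
    clean = entry_wrap(0x21, 0xC5, b"voice")
    for mid in (0x31, 0x32, 0x33):
        traverse(clean, mid, 0xC5)
    tampered = entry_wrap(0x21, 0xC5, b"voice")
    traverse(tampered, 0x31, 0xC5)
    tampered.hop_count += 1          # something at 0x32's position bumps the
    traverse(tampered, 0x33, 0xC5)   # count but leaves no identification number
    return (exit_mod.authorize(clean), exit_mod.locate_breach(clean),
            exit_mod.authorize(tampered), exit_mod.locate_breach(tampered))
```

The tampered packet still authorizes, since its header is intact; only the trailer check reveals the breach and points at the 0x32 position.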
A decoder within intermediate forwarding modules forces a secure packet to be forwarded only when there is a security code mismatch of the incoming packet with its security tap enable. This forces secure broadcast packets to be visible only to other modules within the network that are authorized to receive this particular secure broadcast transmission. Similarly, if a secure packet is destined to a non-secure module, the packet will be rejected by the exit node decoder to prevent a security breach.
Each identification number is preferably a unique number and the security codes are assigned according to their security level or class of service. That is, a grouping of modules that are related to one another may have the same security code, but dissimilar from a security code of another grouping placed within the same network, or which control routing to dissimilar locations. The entry module may be coupled to assign and transfer a security code and an identification number to a packet of data. An exit compare unit within the exit module is coupled to receive the packet of data and compare the security code and the identification number before transferring the packet of data from the communication network. Each of the intermediate modules may also include a storage device containing a security code and a compare unit coupled to receive an incoming packet and compare the incoming security code against the security code of the intermediate module to define a secured path through the communication network.
The entry modules, intermediate modules, and exit modules are generically referred to as “forwarding modules.” Each forwarding module includes an input port coupled to receive an incoming packet of data. A forwarding module can also include a mapping table which assigns a priority code to the packet depending on the address from which the packet of data was sent. The address is defined as the identification node of the upstream termination device or module. According to one example, the priority code is assigned depending on an amount of bandwidth allocated to a section of the data flow path to which the packet of data is forwarded from the module. The amount of bandwidth may include an allocated transmission speed of that section of data flow path. The priority code may be maintained for a plurality of successive packets provided the number of bits forwarded per second by the plurality of successive packets is less than the allocated transmission speed. The priority and/or security code may also be maintained for a plurality of forwarding nodes resulting in segment based priority and/or security transmission.
Thus, in addition to providing packet-by-packet security codes and identification numbers, the communication network also provides packet-by-packet priority codes. Similar to security, priority can be assigned based on various factors, such as the overall structure of the network, levels of structure, interrelationships of various structurally related nodes and/or modules, the destination address, the source address, or both, so as to achieve data link type functionality. Data link type functionality allows us to have high priority data transmission paths across multiple levels of hierarchy without requiring the particular address having high priority across all of these levels of hierarchy. The priority codes are used to provide a guaranteed response time through certain paths of the network, regardless of whether those paths are secured or not.
The communication network can therefore be thought of as including a first forwarding module coupled to receive a first packet of data and assign a first priority code to the first packet of data depending on an address from which the first packet of data was sent. The network may therefore include a second forwarding module coupled to receive a second packet of data and assign a second priority code to the second packet of data depending on an address from which the second packet of data was sent. An arbiter is coupled to forward the first packet of data across a portion of the communication network instead of a second packet of data if the first priority code is higher in priority than the second priority code. The arbiter is therefore said to grant accesses to downstream paths depending on the priority code of the incoming packets. Thus, the arbiter decides how to utilize a shared resource (e.g., the downstream path) when two or more packets arrive upon a network node or module. There are various ways in which the arbiter forwards multiple packets from one source before forwarding multiple packets of another source. Fixed arbitration may be one method, round-robin arbitration may be another.
The first forwarding module may be coupled within a first hierarchical portion of the communication network and have a first storage device containing a first grouping of bits unique to that first level. The second forwarding module may be coupled within a second hierarchical portion and have a second storage device containing a second grouping of bits unique to the second level. A third forwarding module may be coupled within a third hierarchical portion and include a third storage device containing a third grouping of bits unique to the third level, as well as an arbiter coupled to forward a packet of data from either the first forwarding or the second forwarding module depending on a comparison of the first, second, and third groupings of bits.
The arbiter may therefore be used to forward the packet of data from the first forwarding module if the first grouping of bits yields a first level of priority greater than the second level of priority. Alternatively, the arbiter can forward the packet of data from the first forwarding module if the first grouping of bits yields a first level of priority the same as the third level of priority. Still further, the arbiter may forward the packet of data from the first forwarding module if the first grouping of bits yields a first level of priority different from the third level of priority. Regardless of the arbitration algorithm used, the arbiter decides which packet of data is to be forwarded to a shared resource. The first, second, and third groupings of bits are read from the first, second, and third storage devices and appended to data forwarded from the first, second, and third forwarding modules, respectively. Importantly, the first, second, and third groupings of bits are set by instructions sent over a bus separate from the data flow path of the communication network. In this manner, a hacker cannot sniff or spoof data packets by accessing security registers and/or mapping tables configured within the forwarding modules. Absent access to sensitive mapping information contained therein, a hacker cannot tap into, write, or read packets of data sent across the structured, secured network.
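The bandwidth-dependent priority code (described with the forwarding-module mapping table above) and the arbiter that grants a shared downstream path by priority code, as one added example in Python; it is not the patent's own design. The one-second measurement window, the demote-by-one rule, fixed versus round-robin tie breaking, and the address and bandwidth values are assumptions made for illustration.

```python
# Added example (constructed, not the patent's own design): a per-address
# mapping table that assigns a priority code according to whether a source's
# recent traffic stays within its allocated transmission speed, and an arbiter
# that grants the shared downstream path to the highest priority code, breaking
# ties by fixed or round-robin arbitration.  The one-second window, the
# demote-by-one rule and all addresses and rates are assumptions.

from collections import deque


class MappingTable:
    def __init__(self, allocations: dict, window_s: float = 1.0):
        # allocations: upstream address -> (allocated bits/s, base priority code)
        self.allocations = allocations
        self.window_s = window_s
        self.history = {addr: deque() for addr in allocations}

    def priority_for(self, addr: int, bits: int, now: float) -> int:
        """Priority code for a packet of `bits` arriving from `addr` at `now`.

        The base code is maintained for successive packets as long as the bits
        forwarded within the window, including this packet, stay within the
        allocation; above it the code is demoted by one level (never below 0).
        """
        allocated_bps, base = self.allocations[addr]
        hist = self.history[addr]
        hist.append((now, bits))
        while hist and hist[0][0] <= now - self.window_s:
            hist.popleft()                      # drop samples outside window
        bits_in_window = sum(b for _, b in hist)
        if bits_in_window <= allocated_bps * self.window_s:
            return base
        return max(base - 1, 0)


class Arbiter:
    def __init__(self, scheme: str = "round_robin"):
        self.scheme = scheme            # "fixed" or "round_robin"
        self.last_granted = None

    def select(self, candidates: list) -> int:
        """Grant the downstream path to one of `candidates`, a list of
        (upstream address, priority code).  Returns the winning address."""
        best = max(prio for _, prio in candidates)
        tied = sorted(addr for addr, prio in candidates if prio == best)
        if self.scheme == "fixed" or self.last_granted is None:
            winner = tied[0]            # fixed: lowest address always wins ties
        else:
            later = [a for a in tied if a > self.last_granted]
            winner = later[0] if later else tied[0]   # rotate among tied
        self.last_granted = winner
        return winner


def demo() -> list:
    """Constructed run: two sources allocated 8 kbit/s each at base priority 3;
    source 0xA bursts 1000-bit packets every 100 ms, source 0xB sends 100 bits.
    Returns the address granted at each of ten arbitration rounds."""
    table = MappingTable({0xA: (8000, 3), 0xB: (8000, 3)})
    arbiter = Arbiter("round_robin")
    grants = []
    for k in range(10):
        now = 0.1 * k
        pa = table.priority_for(0xA, 1000, now)   # exceeds 8000 bits at k == 8
        pb = table.priority_for(0xB, 100, now)
        grants.append(arbiter.select([(0xA, pa), (0xB, pb)]))
    return grants
```

While both sources hold priority 3 the round-robin arbiter alternates between them; once 0xA exceeds its allocation within the window its code drops to 2 and 0xB wins every round.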